Clustered Data ONTAP 8.3
File Access Management Guide for CIFS

NetApp, Inc.
495 East Java Drive
Sunnyvale, CA 94089
U.S.
Telephone: +1 (408) 822-6000
Fax: +1 (408) 822-4501
Support telephone: +1 (888) 463-8277
Web: www.netapp.com
Feedback: [email protected]
Part number: 215-09147_B0
January 2015

Contents

Understanding SMB file access with Data ONTAP ... 15
  How namespaces and volume junctions affect SMB access on SVMs with FlexVol volumes ... 15
    What namespaces in SVMs with FlexVol volumes are ... 15
    Volume junction usage rules ... 16
    How volume junctions are used in SMB and NFS namespaces ... 16
    What the typical NAS namespace architectures are ... 16
  LIF configuration requirements for file access management ... 20
  How security styles affect data access ... 20
    What the security styles and their effects are ... 21
    Where and when to set security styles ... 22
    How to decide on what security style to use on SVMs with FlexVol volumes ... 22
    How security style inheritance works ... 22
  How authentication provides SMB access security ... 23
    Kerberos authentication ... 23
    NTLM authentication ... 24
  How name mapping is used to secure SMB file access on SVMs with FlexVol volumes ... 24
    How name mapping works ... 25
  How Data ONTAP secures file and directory access ... 25
  Role that export policies play with SMB access ... 26
  Very large CIFS configuration changes might take some time to finish ... 26

Configuring and managing Active Directory computer accounts for SVMs (no CIFS license) ... 28
  How to choose whether to create a CIFS server or an Active Directory computer account ... 28
  Managing Active Directory computer accounts ... 29
    Creating Active Directory computer accounts for SVMs ... 29
    Changing the Active Directory domain to which the SVM computer account is associated ... 31
    Displaying information about Active Directory computer accounts for SVMs ... 32
    Deleting Active Directory computer accounts for SVMs ... 33
    Changing or resetting Active Directory computer account passwords for SVMs ... 34
  Managing domain controller connections for Active Directory computer accounts ... 35
    Displaying information about discovered Active Directory servers for SVMs ... 35
    Resetting and rediscovering Active Directory servers ... 36
    Adding or removing preferred domain controllers ... 37
    Displaying information about preferred domain controllers ... 38

Configuring and managing CIFS servers ... 40
  Supported SMB clients and domain controllers ... 40
  Unsupported Windows features ... 40
  Where to find information about SMB support on Infinite Volumes ... 41
  How to choose whether to create a CIFS server or an Active Directory computer account ... 41
  Setting up CIFS servers on SVMs with FlexVol volumes ... 42
    Prerequisites for CIFS server setup ... 42
    Planning the CIFS server configuration ... 43
    Setting up the CIFS server ... 58
  Managing CIFS servers ... 82
    Using options to customize CIFS servers ... 82
    Managing CIFS server security settings ... 93
    Configuring SMB on your CIFS server ... 102
    Using SMB signing to enhance network security ... 108
    Using LDAP over SSL/TLS to secure communication ... 117
    Improving client performance with traditional and lease oplocks ... 121
    Using IPv6 for SMB access and CIFS services ... 128
    Applying Group Policy Objects to CIFS servers ... 132
    Managing domain controller connections ... 150
    Changing CIFS servers computer account passwords ... 153
    Managing NetBIOS aliases for CIFS servers ... 155
    Managing miscellaneous CIFS server tasks ... 159

Setting up file access using SMB ... 166
  Configuring security styles ... 166
    Configuring security styles on SVM root volumes ... 166
    Configuring security styles on FlexVol volumes ... 167
    Configuring security styles on qtrees ... 167
  Creating and managing data volumes in NAS namespaces ... 168
    Creating data volumes with specified junction points ... 168
    Creating data volumes without specifying junction points ... 169
    Mounting or unmounting existing volumes in the NAS namespace ... 170
    Displaying volume mount and junction point information ... 171
  Securing file access by using Storage-Level Access Guard ... 173
    Use cases for using Storage-Level Access Guard ... 175
    Workflow to configure Storage-Level Access Guard ... 175
    Configuring Storage-Level Access Guard ... 176
    Displaying information about Storage-Level Access Guard ... 182
    Removing Storage-Level Access Guard ... 183
  Configuring character mapping for SMB file name translation on FlexVol volumes ... 185
    Commands for managing character mappings for SMB file name translation ... 187
  Creating name mappings ... 188
    Name mapping conversion rules ... 188
    Creating a name mapping ... 190
    Commands for managing name mappings ... 191
  Configuring multidomain name-mapping searches ... 191
    Multidomain searches for UNIX user to Windows user name mappings ... 192
    Enabling or disabling multidomain name mapping searches ... 194
    Resetting and rediscovering trusted domains ... 195
    Displaying information about discovered trusted domains ... 195
    Adding, removing, or replacing trusted domains in preferred trusted domain lists ... 196
    Displaying information about the preferred trusted domain list ... 198
  Creating and configuring SMB shares ... 199
    What the default administrative shares are ... 199
    Share naming considerations ... 201
    Non-Unicode clients not supported ... 202
    Elimination of execute permission requirements on share paths ... 202
    Information you need when creating SMB shares ... 203
    Creating an SMB share on a CIFS server ... 204
    Adding or removing share properties on an existing SMB share ... 212
    Viewing information about SVM shares using the MMC ... 215
    Commands for managing SMB shares ... 216
  Securing file access by using SMB share ACLs ... 216
    Managing SMB share-level ACLs ... 217
    How Data ONTAP uses share-level ACLs ... 217
    Creating SMB share access control lists ... 218
    Commands for managing SMB share access control lists ... 220
  Securing file access by using file permissions ... 220
    Configuring standard NTFS file permissions by using the Windows Security tab ... 221
    Configuring advanced NTFS file permissions using the Windows Security tab ... 223
    How to configure NTFS file permissions using the Data ONTAP CLI ... 227
    How UNIX file permissions provide access control when accessing files over SMB ... 227
  Securing file access by using Dynamic Access Control (DAC) ... 228
    Supported Dynamic Access Control functionality ... 230
    Considerations when using Dynamic Access Control and central access policies with CIFS servers ... 231
    Enabling or disabling Dynamic Access Control ... 232
    Configuring central access policies to secure data on CIFS servers ... 233
    Displaying information about Dynamic Access Control security ... 236
    Revert considerations for Dynamic Access Control ... 237
    Where to find additional information about configuring and using Dynamic Access Control and central access policies ... 238
  Securing SMB access using export policies ... 238
    How export policies are used with SMB access ... 239
    What happens to existing SMB export policies when upgrading ... 240
    Enabling or disabling export policies for SMB access ... 241
    How export rules work ... 242
    Examples of export policy rules that restrict or allow access over SMB ... 244
    Considerations when reverting export policies for SMB ... 246

Managing file access using SMB ... 247
  Using local users and groups for authentication and authorization ... 247
    How Data ONTAP uses local users and groups ... 247
    What local privileges are ... 252
    Requirements and considerations ... 254
    Predefined BUILTIN groups and default privileges ... 255
    Enabling or disabling local users and groups functionality ... 256
    Managing local user accounts ... 259
    Managing local groups ... 267
    Managing local privileges ... 275
  Configuring bypass traverse checking ... 280
    Allowing users or groups to bypass directory traverse checking ... 282
    Disallowing users or groups from bypassing directory traverse checking ... 283
  Displaying information about file security and audit policies ... 284
    Displaying information about file security on NTFS security-style volumes ... 285
    Displaying information about file security on mixed security-style volumes ... 288
    Displaying information about file security on UNIX security-style volumes ... 291
    Displaying information about NTFS audit policies on FlexVol volumes using the CLI ... 293
    Displaying information about NFSv4 audit policies on FlexVol volumes using the CLI ... 295
  Managing NTFS file security, NTFS audit policies, and Storage-Level Access Guard on SVMs using the CLI ... 297
    Use cases for using the CLI to set file and folder security ... 298
    Limits when using the CLI to set file and folder security ... 299
    How security descriptors are used to apply file and folder security ... 299
    Configuring and applying file security on NTFS files and folders using the CLI ... 300
    Configuring and applying audit policies on NTFS files and folders using the CLI ... 316
    Considerations when managing security policy jobs ... 331
    Commands for managing NTFS security descriptors ... 331
    Commands for managing NTFS DACL access control entries ... 332
    Commands for managing NTFS SACL access control entries ... 332
    Commands for managing security policies ... 333
    Commands for managing security policy tasks ... 333
    Commands for managing security policy jobs ... 334
  Using security tracing to verify or troubleshoot file and directory access ... 334
    How security traces work ... 334
    Types of access checks security traces monitor ... 335
    Considerations when creating security traces ... 336
    Performing security traces ... 337
    How to interpret security trace results ... 346
  Configuring the metadata cache for SMB shares ... 347
    How SMB metadata caching works ... 347
    Enabling the SMB metadata cache ... 347
    Configuring the lifetime of SMB metadata cache entries ... 348
  Managing file locks ... 349
    About file locking between protocols ... 349
    How Data ONTAP treats read-only bits ... 349
    How Data ONTAP differs from Windows on handling locks on share path components ... 350
    Displaying information about locks ... 350
    Breaking locks ... 352
  Monitoring SMB activity ... 353
    Displaying SMB session information ... 353
    Displaying information about open SMB files ... 357
    Determining which statistics objects and counters are available ... 360
    Displaying statistics ... 363

Deploying CIFS client-based services ... 365
  Using offline files to allow caching of files for offline use ... 365
    Requirements for using offline files ... 366
    Considerations when deploying offline files ... 366
    Configuring offline files support on SMB shares using the CLI ... 367
    Configuring offline files support on SMB shares by using the Computer Management MMC ... 369
  Using roaming profiles to store user profiles centrally on a CIFS server associated with the SVM ... 370
    Requirements for using roaming profiles ... 370
    Configuring roaming profiles ... 371
  Using folder redirection to store data on a CIFS server ... 372
    Requirements for using folder redirection ... 372
    Configuring folder redirection ... 373
  How to access the ~snapshot directory from Windows clients using SMB 2.x ... 373
  Recovering files and folders using Previous Versions ... 374
    Requirements for using Microsoft Previous Versions ... 375
    Using the Previous Versions tab to view and manage Snapshot copy data ... 376
    Determining whether Snapshot copies are available for Previous Versions use ... 377
    Creating a Snapshot configuration to enable Previous Versions access ... 378
    Considerations when restoring directories that contain junctions ... 379

Deploying CIFS server-based services ... 380
  Managing home directories ... 380
    How clustered Data ONTAP enables dynamic home directories ... 380
    Adding a home directory share ... 382
    Adding a home directory search path ... 384
    Creating a home directory configuration using the %w and %d variables ... 386
    Configuring home directories using the %u variable ... 388
    Additional home directory configurations ... 391
    Commands for managing search paths ... 392
    Displaying information about an SMB user's home directory path ... 392
    Managing accessibility to users' home directories ... 393
  Configuring SMB client access to UNIX symbolic links ... 394
    How Data ONTAP enables you to provide SMB client access to UNIX symbolic links ... 395
    Limits when configuring UNIX symbolic links for SMB access ... 396
    How to control automatic DFS advertisements in clustered Data ONTAP with a CIFS server option ... 396
    Managing whether the CIFS server automatically advertises DFS capabilities ... 397
    Configuring UNIX symbolic link support on SMB shares ... 398
    Creating symbolic link mappings for SMB shares ... 400
    Commands for managing symbolic link mappings ... 401
  Using BranchCache to cache SMB share content at a branch office ... 402
    Requirements, considerations, and recommendations ... 402
    Configuring BranchCache ... 405
    Configuring BranchCache-enabled SMB shares ... 410
    Managing and monitoring the BranchCache configuration ... 414
    Disabling BranchCache on SMB shares ... 425
    Disabling or enabling BranchCache on the SVM ... 427
    Deleting the BranchCache configuration on SVMs ... 428
    What happens to BranchCache when reverting ... 430
  Improving Microsoft remote copy performance ... 430
    How ODX works ... 431
    Requirements for using ODX ... 433
    Considerations for using ODX ... 434
    Use cases for ODX ... 435
    Enabling or disabling ODX ... 436
  Improving client response time by providing SMB automatic node referrals with Auto Location ... 437
    Requirements and considerations when using automatic node referrals ... 438
    Support for automatic node referrals ... 440
    Enabling or disabling SMB automatic node referrals ... 441
    Using statistics to monitor automatic node referral activity ... 442
    How to monitor client-side SMB automatic node referral information using a Windows client ... 444
  Providing folder security on shares with access-based enumeration ... 444
    Enabling or disabling access-based enumeration on SMB shares ... 444
    Enabling or disabling access-based enumeration from a Windows client ... 446

Configuring Data ONTAP for Microsoft Hyper-V and SQL Server over SMB solutions ... 447
  What nondisruptive operations for Hyper-V and SQL Server over SMB means ... 448
    Protocols that enable nondisruptive operations over SMB ... 449
    Key concepts about nondisruptive operations for Hyper-V and SQL Server over SMB ... 449
    How SMB 3.0 functionality supports nondisruptive operations over SMB shares ... 451
    What the Witness protocol does to enhance transparent failover ... 451
  Share-based backups with Remote VSS ... 453
    Remote VSS concepts ... 454
    Example of a directory structure used by Remote VSS ... 455
    How SnapManager for Hyper-V manages Remote VSS-based backups for Hyper-V over SMB ... 456
  How ODX copy offload is used with Hyper-V and SQL Server over SMB shares ... 457
  Configuration requirements and considerations ... 459
    Data ONTAP and licensing requirements ... 459
    Network and data LIF requirements ... 460
    CIFS server and volume requirements for Hyper-V over SMB ... 461
    CIFS server and volume requirements for SQL Server over SMB ... 462
    Continuously available share requirements and considerations for Hyper-V over SMB ... 463
    Continuously available share requirements and considerations for SQL Server over SMB ... 464
    Remote VSS considerations for Hyper-V over SMB configurations ... 466
    ODX copy offload requirements for SQL Server and Hyper-V over SMB ... 467
  Recommendations for SQL Server and Hyper-V over SMB configurations ... 467
  Planning the Hyper-V or SQL Server over SMB configuration ... 468
    Completing the volume configuration worksheet ... 468
    Completing the SMB share configuration worksheet ... 470
  Creating Data ONTAP configurations for nondisruptive operations with Hyper-V and SQL Server over SMB ... 472
    Verifying that both Kerberos and NTLMv2 authentication are permitted (Hyper-V over SMB shares) ... 474
    Verifying that domain accounts map to the default UNIX user ... 475
    Verifying that the security style of the SVM root volume is set to NTFS ... 477
    Verifying that required CIFS server options are configured ... 478
    Verifying that automatic node referrals are disabled ... 480
    Creating NTFS data volumes ... 481
    Creating continuously available SMB shares ... 482
    Adding the SeSecurityPrivilege privilege to the user account (for SQL Server over SMB shares) ... 483
    Configuring the VSS shadow copy directory depth (for Hyper-V over SMB shares) ... 484
  Managing Hyper-V and SQL Server over SMB configurations ... 485
    Configuring existing shares for continuous availability ... 485
    Enabling or disabling VSS shadow copies for Hyper-V over SMB backups ... 488
    Considerations for reverting Hyper-V over SMB configurations ... 489
    Considerations for reverting SQL Server over SMB configurations ... 490
  Using statistics to monitor Hyper-V and SQL Server over SMB activity ... 490
    Determining which statistics objects and counters are available ... 491
    Displaying SMB statistics ... 493
  Verifying that the configuration is capable of nondisruptive operations ... 494
    How to use health monitoring to determine whether nondisruptive operation status is healthy ... 494
    Displaying nondisruptive operation status by using system health monitoring ... 495
    Verifying the continuously available SMB share configuration ... 496
    Verifying LIF status ... 498
    Determining whether SMB sessions are continuously available ... 500

Auditing NAS events on SVMs with FlexVol volumes ... 507
  How auditing works ... 508
    Basic auditing concepts ... 508
    How the Data ONTAP auditing process works ... 509
    Aggregate space considerations when enabling auditing ... 511
  Auditing requirements and considerations ... 511
  What the supported audit event log formats are ... 512
  Viewing audit event logs ... 512
    How active audit logs are viewed using Event Viewer ... 513
  SMB events that can be audited ... 514
    Determining what the complete path to the audited object is ... 516
    Considerations when auditing symlinks and hard links ... 517
    Considerations when auditing alternate NTFS data streams ... 518
  NFS file and directory access events that can be audited ... 519
  Planning the auditing configuration ... 520
  Creating a file and directory auditing configuration on SVMs ... 525
    Creating the auditing configuration ... 526
    Enabling auditing on the SVM ... 528
    Verifying the auditing configuration ... 528
  Configuring file and folder audit policies ... 529
    Configuring audit policies on NTFS security-style files and directories ... 529
    Configuring auditing for UNIX security style files and directories ... 534
  Displaying information about audit policies applied to files and directories ... 534
    Displaying information about audit policies using the Windows Security tab ... 535
    Displaying information about NTFS audit policies on FlexVol volumes using the CLI ... 536
  Managing auditing configurations ... 538
    Manually rotating the audit event logs ... 539
    Enabling and disabling auditing on SVMs ... 539
    Displaying information about auditing configurations ... 541
    Commands for modifying auditing configurations ... 542
    Deleting an auditing configuration ... 543
    What the process is when reverting ... 543
  Troubleshooting auditing and staging volume space issues
.................................... 544How to troubleshoot space
issues related to the event log volumes ...........544How to
troubleshoot space issues related to the staging volumes
(clusteradministrators only)
...............................................................................
545Using FPolicy for file monitoring and management on SVMs
withFlexVol volumes
...................................................................................546How
FPolicy works
.................................................................................................546What
the two parts of the FPolicy solution are
...........................................546What synchronous and
asynchronous notifications are
..............................547Roles that cluster components play
with FPolicy implementation .............548How FPolicy works with
external FPolicy servers
.....................................548What the node-to-external
FPolicy server communication process is ........550How FPolicy
services work across SVM namespaces
................................ 552FPolicy configuration types
....................................................................................553When
to create a native FPolicy configuration
...........................................553When to create a
configuration that uses external FPolicy servers .............
554How FPolicy passthrough-read enhances usability for hierarchical
storagemanagement
.......................................................................................................
554How read requests are managed when FPolicy passthrough-read
isenabled
...................................................................................................
555Requirements, considerations, and best practices for configuring
FPolicy ............556Ways to configure FPolicy
..........................................................................556Requirements
for setting up FPolicy
...........................................................556Table
of Contents | 13Best practices and recommendations when setting up
FPolicy ................... 557Passthrough-read upgrade and revert
considerations ..................................558What the steps
for setting up an FPolicy configuration are
....................................558Planning the FPolicy
configuration
.........................................................................
559Planning the FPolicy external engine configuration
...................................560Planning the FPolicy event
configuration
...................................................569Planning the
FPolicy policy configuration
.................................................. 575Planning the
FPolicy scope configuration
................................................... 581Creating the
FPolicy configuration
.........................................................................584Creating
the FPolicy external engine
..........................................................585Creating
the FPolicy event
..........................................................................587Creating
the FPolicy policy
.........................................................................
587Creating the FPolicy scope
..........................................................................
589Enabling the FPolicy policy
........................................................................590Modifying
FPolicy configurations
..........................................................................591Commands
for modifying FPolicy configurations
...................................... 591Enabling or disabling
FPolicy policies
........................................................
592Displaying information about FPolicy configurations
............................................592How the show
commands work
..................................................................593Commands
for displaying information about FPolicy configurations
........593Displaying information about FPolicy policy status
...................................594Displaying information about
enabled FPolicy policies .............................595Managing
FPolicy server connections
....................................................................596Connecting
to external FPolicy servers
.......................................................
596Disconnecting from external FPolicy servers
.............................................597Displaying
information about connections to external FPolicy servers ......
597Displaying information about the FPolicy passthrough-read
connectionstatus
......................................................................................................600Copyright
information
.............................................................................603Trademark
information
...........................................................................
604How to send comments about documentation and receive
updatenotification
............................................................................................
605Index
...........................................................................................................
60614 | File Access Management Guide for CIFSUnderstanding SMB file
Understanding SMB file access with Data ONTAP

There are certain SMB file access concepts you should understand before you configure a CIFS server and then configure SMB shares to let SMB clients access files on your cluster.

How namespaces and volume junctions affect SMB access on SVMs with FlexVol volumes

You must understand what namespaces and volume junctions are and how they work to correctly configure SMB access on Storage Virtual Machines (SVMs) in your storage environment.

Related concepts
Creating and managing data volumes in NAS namespaces on page 168

Related tasks
Configuring character mapping for SMB file name translation on FlexVol volumes on page 185

What namespaces in SVMs with FlexVol volumes are

A namespace is a logical grouping of volumes that are joined together at junction points to create a single, logical file system that derives from the Storage Virtual Machine (SVM) root volume. Each SVM has a namespace.

CIFS and NFS servers on a data SVM can store and access data across the namespace. Each client can access the entire namespace by mounting an export or accessing a single SMB share at the top of the namespace.

Alternatively, SVM administrators can create exports at each volume junction so that clients can create mount points at intermediate locations in the namespace, or they can create SMB shares that point to any directory path in the namespace.

Volumes can be added at any time by mounting them to any location in the namespace. Clients can immediately access the newly added volume, provided that the volume junction is under the point at which they are accessing the namespace and provided that they have sufficient permissions.

Volume junction usage rules

Volume junctions are a way to join individual volumes together into a single, logical namespace to enable data access to NAS clients. Understanding how volume junctions are formed helps you to interpret and apply the usage rules.

When NAS clients access data by traversing a junction, the junction appears to be an ordinary directory. A junction is formed when a volume is mounted to a mount point below the root and is used to create a file-system tree. The top of a file-system tree is always the root volume, which is represented by a slash (/). A junction leads from a directory in one volume to the root directory of another volume.

Although specifying a junction point is optional when a volume is created, data in the volume cannot be exported (NFS) and a share cannot be created (CIFS) until the volume is mounted to a junction point in the namespace. A volume that was not mounted during volume creation can be mounted post-creation. New volumes can be added to the namespace at any time by mounting them to a junction point.
Mounted volumes can be unmounted; however, unmounting a volume disrupts NAS client access to all data in the volume and to all volumes mounted at child junction points beneath the unmounted volume. Junction points can be created directly below a parent volume junction, or they can be created on a directory within a volume.

For example, a path to a volume junction for a volume named vol3 might be /vol1/vol2/vol3, or it might be /vol1/dir2/vol3, or even /dir1/dir2/vol3.

How volume junctions are used in SMB and NFS namespaces

You can mount volumes at junction points anywhere within the namespace to create a single, logical namespace. If you specify a junction point when the volume is created, the volume is automatically mounted at the time the volume is created and is available for NAS access. You can create SMB shares and NFS exports on the mounted volume.

If you do not specify a junction point, the volume is online but is not mounted for NAS file access. You must mount a volume to a junction point before it can be used for NAS file access.

What the typical NAS namespace architectures are

All Storage Virtual Machine (SVM) namespaces derive from the root volume; however, there are several typical NAS namespace architectures that you can use as you create your SVM namespace. You can choose the namespace architecture that matches your business and workflow needs.

The top of the namespace is always the root volume, which is represented by a slash (/). The namespace architecture under the root falls into three basic categories:

• A single branched tree, with only a single junction to the root of the namespace
• Multiple branched trees, with multiple junction points to the root of the namespace
• Multiple stand-alone volumes, each with a separate junction point to the root of the namespace

Namespace with single branched tree

An architecture with a single branched tree has a single insertion point to the root of the SVM namespace. The single insertion point can be either a junctioned volume or a directory beneath the root. All other volumes are mounted at junction points beneath the single insertion point (which can be a volume or a directory).

[Figure: single branched tree. Labels in the figure: SVM root (/), insertion point A, volumes A1, A2, A3, A4, A5, A41, A42, A51, A52, A53.]

For example, a typical volume junction configuration with the above namespace architecture might look like the following configuration, where all volumes are junctioned below the single insertion point, which is a directory named data:

                              Junction                       Junction
Vserver  Volume       Active  Junction Path                  Path Source
-------  ------------ ------- ------------------------------ -----------
vs1      corp1        true    /data/dir1/corp1               RW_volume
vs1      corp2        true    /data/dir1/corp2               RW_volume
vs1      data1        true    /data/data1                    RW_volume
vs1      eng1         true    /data/data1/eng1               RW_volume
vs1      eng2         true    /data/data1/eng2               RW_volume
vs1      sales        true    /data/data1/sales              RW_volume
vs1      vol1         true    /data/vol1                     RW_volume
vs1      vol2         true    /data/vol2                     RW_volume
vs1      vol3         true    /data/vol3                     RW_volume
vs1      vs1_root     -       /                              -

Namespace with multiple branched trees

An architecture with multiple branched trees has multiple insertion points to the root of the SVM namespace. The insertion points can be either junctioned volumes or directories beneath the root. All other volumes are mounted at junction points beneath the insertion points (which can be volumes or directories).

[Figure: multiple branched trees. Labels in the figure: SVM root (/), insertion points A, B and C, volumes A1, A2, A3, B1, B2, C1, C2, C3.]

For example, a typical volume junction configuration with the above namespace architecture might look like the following configuration, where there are three insertion points to the root volume of the SVM. Two insertion points are directories named data and projects. One insertion point is a junctioned volume named audit:

                              Junction                       Junction
Vserver  Volume       Active  Junction Path                  Path Source
-------  ------------ ------- ------------------------------ -----------
vs1      audit        true    /audit                         RW_volume
vs1      audit_logs1  true    /audit/logs1                   RW_volume
vs1      audit_logs2  true    /audit/logs2                   RW_volume
vs1      audit_logs3  true    /audit/logs3                   RW_volume
vs1      eng          true    /data/eng                      RW_volume
vs1      mktg1        true    /data/mktg1                    RW_volume
vs1      mktg2        true    /data/mktg2                    RW_volume
vs1      project1     true    /projects/project1             RW_volume
vs1      project2     true    /projects/project2             RW_volume
vs1      vs1_root     -       /                              -

Namespace with multiple stand-alone volumes

In an architecture with stand-alone volumes, every volume has an insertion point to the root of the SVM namespace; however, the volume is not junctioned below another volume. Each volume has a unique path, and is either junctioned directly below the root or is junctioned under a directory below the root.

[Figure: multiple stand-alone volumes. Labels in the figure: SVM root (/), volumes A, B, C, D, E.]

For example, a typical volume junction configuration with the above namespace architecture might look like the following configuration, where there are five insertion points to the root volume of the SVM, with each insertion point representing a path to one volume.

                              Junction                       Junction
Vserver  Volume       Active  Junction Path                  Path Source
-------  ------------ ------- ------------------------------ -----------
vs1      eng          true    /eng                           RW_volume
vs1      mktg         true    /vol/mktg                      RW_volume
vs1      project1     true    /project1                      RW_volume
vs1      project2     true    /project2                      RW_volume
vs1      sales        true    /sales                         RW_volume
vs1      vs1_root     -       /                              -
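The junction rules above (a junction looks like an ordinary directory, a volume is reachable only once it is mounted at a junction point, and unmounting a volume cuts off every volume junctioned beneath it) can be checked with a small model. The following is an added example in Python; it is not NetApp code and does not talk to a cluster. It loads the single-branched-tree junction table for vs1 shown above as constructed sample data, resolves a client path to the volume that actually holds it, and shows what unmounting data1 does to /data/data1/eng1. The class and function names are the example's own.

```python
"""Model of an SVM namespace built from volume junctions (added example, not NetApp code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class NamespaceError(Exception):
    pass


@dataclass
class Namespace:
    root_volume: str
    junctions: Dict[str, str] = field(default_factory=dict)  # junction path -> volume name

    def mount(self, volume: str, junction_path: str) -> None:
        """Mount a volume at a junction point below the root (the root itself is the SVM root volume)."""
        if not junction_path.startswith("/") or junction_path == "/":
            raise NamespaceError("junction path must be an absolute path below /")
        if junction_path in self.junctions:
            raise NamespaceError(f"{junction_path} is already a junction point")
        self.junctions[junction_path] = volume

    def unmount(self, volume: str) -> List[str]:
        """Unmount a volume and return every volume that became unreachable,
        i.e. the volume itself plus all volumes junctioned beneath its junction path."""
        paths = [p for p, v in self.junctions.items() if v == volume]
        if not paths:
            raise NamespaceError(f"{volume} is not mounted")
        path = paths[0]
        affected = [p for p in self.junctions if p == path or p.startswith(path + "/")]
        cut_off = [self.junctions[p] for p in affected]
        for p in affected:
            del self.junctions[p]
        return cut_off

    def resolve(self, client_path: str) -> Tuple[str, str]:
        """Map a client-visible path to (volume, path relative to that volume's root).
        The longest junction path that matches on whole path components wins;
        with no match the path lives in the SVM root volume."""
        if not client_path.startswith("/"):
            raise NamespaceError("client paths are absolute")
        parts = [p for p in client_path.split("/") if p]
        best_vol, best_len = self.root_volume, 0
        for jpath, vol in self.junctions.items():
            jparts = [p for p in jpath.split("/") if p]
            if len(jparts) > best_len and parts[: len(jparts)] == jparts:
                best_vol, best_len = vol, len(jparts)
        return best_vol, "/" + "/".join(parts[best_len:])

    def is_visible_from(self, share_root: str, junction_path: str) -> bool:
        """A client attached at share_root (a share or export path) sees a newly
        added volume only if its junction lies beneath that point."""
        share_root = share_root.rstrip("/") or "/"
        return share_root == "/" or junction_path == share_root or junction_path.startswith(share_root + "/")


# Constructed sample data: the vs1 single-branched-tree table from the text.
JUNCTION_TABLE = [
    ("corp1", "/data/dir1/corp1"), ("corp2", "/data/dir1/corp2"),
    ("data1", "/data/data1"), ("eng1", "/data/data1/eng1"),
    ("eng2", "/data/data1/eng2"), ("sales", "/data/data1/sales"),
    ("vol1", "/data/vol1"), ("vol2", "/data/vol2"), ("vol3", "/data/vol3"),
]


def build_vs1() -> Namespace:
    ns = Namespace(root_volume="vs1_root")
    for vol, path in JUNCTION_TABLE:
        ns.mount(vol, path)
    return ns


if __name__ == "__main__":
    ns = build_vs1()
    print(ns.resolve("/data/data1/eng1/src/main.c"))   # lives in volume eng1
    print(ns.resolve("/data/dir1/readme"))             # dir1 is a plain directory in vs1_root
    print("cut off by unmounting data1:", ns.unmount("data1"))
    print(ns.resolve("/data/data1/eng1/src/main.c"))   # now falls through to vs1_root
```

After data1 is unmounted, /data/data1/eng1 no longer resolves to eng1 even though eng1 itself is still online: the path now falls through to the root volume, which is exactly the disruption to child junctions the text warns about.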
LIF configuration requirements for file access management

To properly manage file access control, Data ONTAP must communicate with external services such as NIS, LDAP, and Active Directory servers. The Storage Virtual Machine (SVM) LIFs must be properly configured to allow these communications.

The communication with external services happens over the data LIF of the SVM. Therefore, you must ensure that the SVM has a data LIF properly configured to reach all required external services.

Related concepts
Setting up the CIFS server on page 58

Related information
Clustered Data ONTAP 8.3 Network Management Guide

How security styles affect data access

Each volume and qtree on the storage system has a security style. The security style determines what type of permissions are used for data on volumes when authorizing users. You must understand what the different security styles are, when and where they are set, how they impact permissions, how they differ between volume types, and more.

Related concepts
Managing how file security is presented to SMB clients for UNIX security-style data on page 88

Related tasks
Configuring security styles on SVM root volumes on page 166
Configuring security styles on FlexVol volumes on page 167
Configuring security styles on qtrees on page 167

What the security styles and their effects are

There are four different security styles: UNIX, NTFS, mixed, and unified. Each security style has a different effect on how permissions are handled for data. You must understand the different effects to ensure that you select the appropriate security style for your purposes.

It is important to understand that security styles do not determine what client types can or cannot access data. Security styles only determine the type of permissions Data ONTAP uses to control data access and what client type can modify these permissions.

For example, if a volume uses UNIX security style, SMB clients can still access data (provided that they properly authenticate and authorize) due to the multiprotocol nature of Data ONTAP. However, Data ONTAP uses UNIX permissions that only UNIX clients can modify using native tools.

Security style      Clients that can     Permissions that    Resulting effective   Clients that can
                    modify permissions   clients can use     security style        access files
------------------  -------------------  ------------------  --------------------  ----------------
UNIX                NFS                  NFSv3 mode bits     UNIX                  NFS and SMB
                                         NFSv4.x ACLs        UNIX
NTFS                SMB                  NTFS ACLs           NTFS                  NFS and SMB
Mixed               NFS or SMB           NFSv3 mode bits     UNIX                  NFS and SMB
                                         NFSv4.x ACLs        UNIX
                                         NTFS ACLs           NTFS
Unified             NFS or SMB           NFSv3 mode bits     UNIX                  NFS and SMB
(only for                                NFSv4.1 ACLs        UNIX
Infinite Volumes)                        NTFS ACLs           NTFS

When the security style is mixed or unified, the effective permissions depend on the client type that last modified the permissions because users set the security style on an individual basis. If the last client that modified permissions was an NFSv3 client, the permissions are UNIX NFSv3 mode bits. If the last client was an NFSv4 client, the permissions are NFSv4 ACLs. If the last client was an SMB client, the permissions are Windows NTFS ACLs.

Note: Data ONTAP initially sets some default file permissions. By default, the effective security style on all data in UNIX, mixed, and unified security style volumes is UNIX and the effective permissions type is UNIX mode bits (0755 unless specified otherwise) until configured by a client as allowed by the default security style. By default, the effective security style on all data in NTFS security style volumes is NTFS and has an ACL allowing full control to everyone.

Related information
Clustered Data ONTAP 8.3 Infinite Volumes Management Guide

Where and when to set security styles

Security styles can be set on FlexVol volumes (both root and data volumes) and qtrees. Security styles can be set manually at the time of creation, inherited automatically, or changed at a later time.

Note: Infinite Volumes always use the unified security style. You cannot configure or change the security style of an Infinite Volume.

How to decide on what security style to use on SVMs with FlexVol volumes

To help you decide what security style to use on a volume, you should consider two factors. The primary factor is the type of administrator that manages the file system. The secondary factor is the type of user or service that accesses the data on the volume.

When you configure the security style on a volume, you should consider the needs of your environment to ensure that you select the best security style and avoid issues with managing permissions. The following considerations can help you decide:

Security style   Choose if...
---------------  -------------------------------------------------------------------------
UNIX             • The file system is managed by a UNIX administrator.
                 • The majority of users are NFS clients.
                 • An application accessing the data uses a UNIX user as the service account.
NTFS             • The file system is managed by a Windows administrator.
                 • The majority of users are SMB clients.
                 • An application accessing the data uses a Windows user as the service account.
Mixed            • The file system is managed by both UNIX and Windows administrators and
                   users consist of both NFS and SMB clients.

How security style inheritance works

If you do not specify the security style when creating a new FlexVol volume or qtree, it inherits its security style.

Security styles are inherited in the following manner:

• A FlexVol volume inherits the security style of the root volume of its containing Storage Virtual Machine (SVM).
• A qtree inherits the security style of its containing FlexVol volume.
• A file or directory inherits the security style of its containing FlexVol volume or qtree.

Infinite Volumes cannot inherit security styles. All files and directories in Infinite Volumes always use the unified security style. The security style of an Infinite Volume and the files and directories it contains cannot be changed.
How authentication provides SMB access security

Authentication is the process of verifying the identity of an entity. Before users can create SMB connections to access data contained on the Storage Virtual Machine (SVM), they must be authenticated by the domain to which the CIFS server belongs.

The CIFS server supports two authentication methods, Kerberos and NTLM (NTLMv1 or NTLMv2). Kerberos is the default method used to authenticate domain users.

Related concepts
How name mapping is used to secure SMB file access on SVMs with FlexVol volumes on page 24
How Data ONTAP secures file and directory access on page 25
Using local users and groups for authentication and authorization on page 247

Related tasks
Setting the CIFS server minimum authentication security level on page 93
Modifying the CIFS server Kerberos security settings on page 94
Enabling or disabling AES encryption for Kerberos-based communication on page 96
Enabling or disabling required password complexity for local SMB users on page 100

Kerberos authentication

Data ONTAP supports Kerberos authentication when creating authenticated SMB sessions.

Kerberos is a protocol designed to provide strong authentication within a client/server environment. The basis of the protocol is a shared secret key cryptology system that provides secure authentication in a networked environment.

Kerberos is the primary authentication service for Active Directory. The Kerberos server, or Kerberos Key Distribution Center (KDC) service, stores and retrieves information about security principals in the Active Directory. Unlike the NTLM model, Active Directory clients who want to establish a session with another computer, such as the CIFS server, contact a KDC directly to obtain their session credentials.

KDC Resource SID Compression feature

The Key Distribution Center (KDC) can use the Resource SID Compression feature when Active Directory servers are hosted on Windows Server 2012.

Microsoft introduced an enhancement to its Kerberos implementation for Windows Server 2012 that was later called KDC Resource SID Compression, in which the KDC automatically compresses the group security identifiers (SIDs) in the resource domain. This compression can reduce the size of the service ticket and reduce application authentication failures caused by large ticket sizes. To compress resource SIDs, the KDC stores the SID of the resource domain of which the target resource is a member. The KDC inserts only the RID portion of each resource SID into the ResourceGroupIds portion of the authentication data.

NTLM authentication

NTLM client authentication is done using a challenge-response protocol based on shared knowledge of a user-specific secret based on a password.

If a user creates an SMB connection using a local Windows user account, authentication is done locally by the CIFS server using NTLMv2.

How name mapping is used to secure SMB file access on SVMs with FlexVol volumes

User mapping between a Windows user and a UNIX user is a fundamental part of multiprotocol access. Multiprotocol access over SMB depends on user mapping between a user's Windows identity and UNIX identity to evaluate the user's rights to perform file and folder operations within volumes and qtrees.

Data ONTAP always maps the user's Windows identity to the user's UNIX identity during the authentication process. The information about the mapped UNIX user and the UNIX user's groups are saved with the Windows user's credential. Hence, a user credential also contains its mapped UNIX credential.

Data ONTAP maps user names. It does not map groups. However, because group membership is critically important when determining file access, as part of the mapping process the mapped UNIX user's group membership is retrieved and cached along with the user mapping information.

Related concepts
How name mapping works on page 25
How Data ONTAP secures file and directory access on page 25
Creating name mappings on page 188
Configuring multidomain name-mapping searches on page 191

Related tasks
Configuring the default UNIX user on page 159

How name mapping works

Data ONTAP goes through a number of steps when attempting to map user names. They include checking the local name mapping database and LDAP, trying the user name, and using the default user if configured.

When Data ONTAP has to map credentials for a user, it first checks the local name mapping database and LDAP server for an existing mapping. Whether it checks one or both and in which order is determined by the name service configuration of the Storage Virtual Machine (SVM).

• For Windows to UNIX mapping
  If no mapping is found, Data ONTAP checks whether the lowercase Windows user name is a valid user name in the UNIX domain. If this does not work, it uses the default UNIX user provided that it is configured. If the default UNIX user is not configured and Data ONTAP cannot obtain a mapping this way either, mapping fails and an error is returned.

• For UNIX to Windows mapping
  If no mapping is found, Data ONTAP tries to find a Windows account that matches the UNIX name in the CIFS domain. If this does not work, it uses the default CIFS user, provided that it is configured. If the default CIFS user is not configured and Data ONTAP cannot obtain a mapping this way either, mapping fails and an error is returned.
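The mapping steps described in the two sections above (explicit mapping from the local database or LDAP, then the user name itself, then the configured default user, otherwise failure, with the mapped UNIX user's groups cached alongside the credential) are easiest to reason about as a short decision procedure. The following added example in Python is not NetApp code: the mapping database, LDAP entries, account lists and group memberships are constructed sample data, and the "local database first, then LDAP" order is one possible name-service configuration, which on a real SVM is decided by the SVM's name service settings. Rejecting an explicit mapping that points at a non-existent UNIX user is this model's choice; the text does not describe that case.

```python
"""Windows <-> UNIX name mapping decision procedure (added example, not NetApp code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class MappingError(Exception):
    pass


@dataclass
class NameServices:
    """Constructed stand-in for the SVM's name services."""
    local_mapping_db: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (direction, name) -> target
    ldap_mapping: Dict[Tuple[str, str], str] = field(default_factory=dict)
    unix_users: Dict[str, List[str]] = field(default_factory=dict)           # UNIX user -> groups
    windows_users: Set[str] = field(default_factory=set)                      # "DOMAIN\\name"
    cifs_domain: str = "DOMAIN"
    default_unix_user: Optional[str] = None
    default_windows_user: Optional[str] = None
    mapping_sources_order: Tuple[str, ...] = ("local", "ldap")               # assumed ns-switch order


@dataclass
class Credential:
    """What the CIFS server keeps for an SMB user: the Windows identity plus the
    mapped UNIX identity and that UNIX user's cached group membership."""
    windows_name: str
    unix_name: str
    unix_groups: List[str]
    mapped_via: str


def _explicit_mapping(ns: NameServices, direction: str, name: str) -> Tuple[Optional[str], Optional[str]]:
    """Step 1: look for an existing mapping in the configured sources, in order."""
    for source in ns.mapping_sources_order:
        table = ns.local_mapping_db if source == "local" else ns.ldap_mapping
        target = table.get((direction, name))
        if target is not None:
            return target, source
    return None, None


def map_windows_to_unix(ns: NameServices, windows_name: str) -> Credential:
    target, via = _explicit_mapping(ns, "win2unix", windows_name)
    if target is None:
        # Step 2: the lowercase Windows user name (without the domain) as a UNIX user.
        short = windows_name.split("\\", 1)[-1].lower()
        if short in ns.unix_users:
            target, via = short, "lowercase-name"
        elif ns.default_unix_user is not None:      # Step 3: default UNIX user, if configured
            target, via = ns.default_unix_user, "default-unix-user"
        else:
            raise MappingError(f"no UNIX mapping for {windows_name}")
    if target not in ns.unix_users:                 # modelling choice, see lead-in
        raise MappingError(f"mapped UNIX user {target} does not exist")
    # Groups are never mapped: the mapped UNIX user's membership is looked up and cached.
    return Credential(windows_name, target, list(ns.unix_users[target]), via)


def map_unix_to_windows(ns: NameServices, unix_name: str) -> Tuple[str, str]:
    target, via = _explicit_mapping(ns, "unix2win", unix_name)
    if target is None:
        wanted = f"{ns.cifs_domain}\\{unix_name}".lower()   # Windows names compare case-insensitively
        match = next((a for a in ns.windows_users if a.lower() == wanted), None)
        if match is not None:
            target, via = match, "same-name"
        elif ns.default_windows_user is not None:
            target, via = ns.default_windows_user, "default-cifs-user"
        else:
            raise MappingError(f"no Windows mapping for {unix_name}")
    return target, via


def sample_services() -> NameServices:
    """Constructed sample: one explicit local mapping, one explicit LDAP mapping,
    a default UNIX user and no default CIFS user."""
    return NameServices(
        local_mapping_db={("win2unix", "DOMAIN\\Administrator"): "root"},
        ldap_mapping={("unix2win", "svc_backup"): "DOMAIN\\BackupSvc"},
        unix_users={"root": ["root", "wheel"], "jsmith": ["eng", "users"],
                    "pcuser": ["users"], "svc_backup": ["backup"]},
        windows_users={"DOMAIN\\Administrator", "DOMAIN\\JSmith", "DOMAIN\\BackupSvc", "DOMAIN\\Guest"},
        default_unix_user="pcuser",
    )


if __name__ == "__main__":
    ns = sample_services()
    for name in ("DOMAIN\\Administrator", "DOMAIN\\JSmith", "DOMAIN\\Unknown"):
        print(map_windows_to_unix(ns, name))
    print(map_unix_to_windows(ns, "svc_backup"), map_unix_to_windows(ns, "jsmith"))
```

The "DOMAIN\Unknown" case is the one worth watching in a real deployment: with a default UNIX user configured, any authenticated domain user who lacks an explicit or same-name mapping silently becomes that user, so the default user's UNIX group membership defines what every unmapped Windows user can reach.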
How Data ONTAP secures file and directory access

Data ONTAP evaluates three levels of security to determine whether an entity is authorized to perform a requested action on files and directories residing on the Storage Virtual Machine (SVM). Access is determined by the effective permissions after evaluation of the three security levels.

Types of security layers

Any storage object can contain up to three types of security layers:

• Export (NFS) and share (SMB) security
  Export and share security applies to client accesses to a given NFS export or SMB share. Users with administrative privileges can manage export and share-level security from SMB and NFS clients.

• Storage-Level Access Guard file and directory security
  Storage-Level Access Guard security is applied to SVM volumes. Storage-Level Access Guard applies to all accesses from all NAS protocols to the storage object to which the Storage-Level Access Guard has been applied.
  If you view the security settings on a file or directory from an NFS or SMB client, you will not see the Storage-Level Access Guard security. Storage-Level Access Guard security cannot be revoked from a client, even by a system (Windows or UNIX) administrator.

• NTFS, UNIX, and NFSv4 native file-level security
  Native file-level security exists on the file or directory that represents the storage object. You can set file-level security from a client. File permissions are effective regardless of whether SMB or NFS is used to access the data.

How Data ONTAP uses Storage-Level Access Guard for NFS access

Only NTFS access permissions are supported for Storage-Level Access Guard. For Data ONTAP to perform security checks on UNIX users for access to data on volumes where Storage-Level Access Guard is applied, the UNIX user must map to a Windows user on the SVM that owns the volume.

Storage-Level Access Guard does not apply to SVMs that are UNIX only SVMs and that do not contain CIFS servers.

Related concepts
How security styles affect data access on page 20
How name mapping is used to secure SMB file access on SVMs with FlexVol volumes on page 24
Configuring security styles on page 166
Creating and configuring SMB shares on page 199
Securing file access by using SMB share ACLs on page 216
Securing file access by using file permissions on page 220
Securing file access by using Storage-Level Access Guard on page 173

Role that export policies play with SMB access

Export policies for SMB access are optional starting with Data ONTAP 8.2, and they are disabled by default. You can enable export policies for SMB if you want to provide an additional layer of SMB access control, in addition to Storage-Level Access Guard and share and file permissions.

Related concepts
Securing SMB access using export policies on page 238
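The three sections above describe an ordered, all-must-allow evaluation: export or share security first, then Storage-Level Access Guard (NTFS permissions only, so a UNIX user is checked through its Windows mapping), then the native file permissions, with export policies as an optional extra layer for SMB. The following added example in Python is not NetApp code; it models only that ordering and those rules. Permissions are reduced to sets of right names, the share, export rules, volume, users and mappings are constructed sample data, and treating an NFS user with no Windows mapping as failing the Storage-Level Access Guard check is this model's reading of the requirement that such a user must map to a Windows user.

```python
"""Three-layer access evaluation: share/export, Storage-Level Access Guard, file permissions
(added example, not NetApp code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Acl = Dict[str, Set[str]]   # principal (user or group name) -> rights, e.g. {"read", "write"}


@dataclass
class Credential:
    """Identity after name mapping: an SMB user carries its mapped UNIX name, an NFS
    user carries its mapped Windows name when one exists (None when it does not)."""
    windows_name: Optional[str]
    unix_name: Optional[str]
    groups: Set[str]
    client_ip: str

    def principals(self) -> Set[str]:
        return {n for n in (self.windows_name, self.unix_name) if n} | self.groups


@dataclass
class ShareOrExport:
    share_acl: Acl                               # SMB share ACL, Windows principals
    export_rules: Dict[str, Set[str]]            # client IP prefix -> rights (simplified export policy)
    export_policy_applies_to_smb: bool = False   # optional since 8.2, off by default


@dataclass
class Volume:
    slag: Optional[Acl] = None                                  # Storage-Level Access Guard (NTFS only)
    file_perms: Dict[str, Acl] = field(default_factory=dict)    # path -> native file security
    svm_has_cifs_server: bool = True                            # SLAG does not apply to UNIX-only SVMs


def _acl_allows(acl: Acl, principals: Set[str], right: str) -> bool:
    return any(right in acl.get(p, set()) for p in principals)


def _export_allows(rules: Dict[str, Set[str]], client_ip: str, right: str) -> bool:
    return any(client_ip.startswith(prefix) and right in rights for prefix, rights in rules.items())


def evaluate(protocol: str, cred: Credential, target: ShareOrExport, volume: Volume,
             path: str, right: str) -> List[Tuple[str, bool]]:
    """Walk the layers in order and record each layer's verdict."""
    win = ({cred.windows_name} | cred.groups) if cred.windows_name else set()
    trail: List[Tuple[str, bool]] = []
    # Layer 1: share security for SMB, export policy for NFS (and for SMB when enabled).
    if protocol == "SMB":
        trail.append(("share ACL", _acl_allows(target.share_acl, win, right)))
        if target.export_policy_applies_to_smb:
            trail.append(("export policy", _export_allows(target.export_rules, cred.client_ip, right)))
    else:
        trail.append(("export policy", _export_allows(target.export_rules, cred.client_ip, right)))
    # Layer 2: Storage-Level Access Guard, evaluated with the Windows identity only.
    if volume.slag is not None and volume.svm_has_cifs_server:
        trail.append(("SLAG", cred.windows_name is not None and _acl_allows(volume.slag, win, right)))
    # Layer 3: native file-level security, effective whichever protocol is used.
    trail.append(("file permissions", _acl_allows(volume.file_perms.get(path, {}), cred.principals(), right)))
    return trail


def access_granted(trail: List[Tuple[str, bool]]) -> bool:
    return all(ok for _, ok in trail)


def sample_environment() -> Tuple[ShareOrExport, Volume]:
    """Constructed sample: an engineering share/export on a volume protected by SLAG."""
    target = ShareOrExport(
        share_acl={"DOMAIN\\eng": {"read", "write"}, "Everyone": {"read"}},
        export_rules={"10.1.": {"read", "write"}, "192.168.": {"read"}},
    )
    volume = Volume(
        slag={"DOMAIN\\eng": {"read", "write"}, "DOMAIN\\contractors": {"read"}},
        file_perms={"/proj/design.docx": {
            "DOMAIN\\alice": {"read", "write"}, "alice": {"read", "write"},
            "DOMAIN\\bob": {"read", "write"}, "eng": {"read"}}},
    )
    return target, volume


# Constructed users: alice is a mapped engineer, bob a contractor, carol a UNIX-only user.
ALICE = Credential("DOMAIN\\alice", "alice", {"DOMAIN\\eng", "Everyone", "eng"}, "10.1.0.5")
BOB = Credential("DOMAIN\\bob", "bob", {"DOMAIN\\contractors", "Everyone"}, "10.1.0.9")
CAROL_NFS = Credential(None, "carol", {"eng"}, "10.1.0.7")

if __name__ == "__main__":
    t, v = sample_environment()
    for proto, who, right in (("SMB", ALICE, "write"), ("SMB", BOB, "write"), ("NFS", CAROL_NFS, "read")):
        trail = evaluate(proto, who, t, v, "/proj/design.docx", right)
        print(proto, who.windows_name or who.unix_name, right, trail, "->", access_granted(trail))
```

Two of the constructed cases show why the layers matter: bob's file ACL grants write, yet the share ACL stops his SMB write before the file is ever consulted, and carol's NFS read passes the export policy and the file permissions but fails at Storage-Level Access Guard because she has no Windows identity for it to check.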
large CIFS configuration changes might take sometime to finishWhen
you enter CLI commands on the storage system, they are typically
executed instantaneously.However, when the CLI command results in a
large CIFS configuration change, it might take a while26 | File
Access Management Guide for CIFSfor the configuration change to
finish after you entered the CLI command and received
confirmationthat it was successful.The larger the change and the
more objects are affected, the longer it can take to complete.
Examplesfor this delay are creating several thousand new shares or
modifying several thousand share ACLs.The following command areas
are affected by this delay: Servers Home directories Shares Share
ACLs Superusers Symlink path mapping Server securityIf you make
such very large configuration changes, allow time for the changes
to finish.

Understanding SMB file access with Data ONTAP | 27

Configuring and managing Active Directory computer accounts for SVMs (no CIFS license)

You can create and manage an Active Directory (AD) computer account for a Storage Virtual Machine (SVM, formerly known as Vserver) even if you do not have CIFS licensed on any of the cluster nodes. You can also configure and manage preferred domain controllers for the AD computer account.

How to choose whether to create a CIFS server or an Active Directory computer account

You can configure your Storage Virtual Machine (SVM) with a CIFS server that is a member of an Active Directory domain, or, if you do not have CIFS licensed, you can create a computer account for your SVM in an Active Directory domain. You need to understand how the two configurations differ and how to choose between them.

An SVM can have only one Active Directory account. Therefore, you must choose between a CIFS server and an Active Directory computer account:

• If an Active Directory computer account is configured on the SVM and you subsequently license CIFS on the cluster and want a full-function CIFS server on the SVM, you must first delete the Active Directory computer account.
• If the SVM has a CIFS server and you subsequently no longer need a full CIFS server but want an Active Directory computer account instead, you must first delete the CIFS server.

CIFS server

Choose to create a CIFS server if the following is true:

• You have CIFS licensed on the cluster. The CIFS license can be on one or more nodes.
• You want to offer file services and other value-add CIFS functionality, such as home directories or symlink access, to SMB clients.

Active Directory computer account

Choose to create an Active Directory machine account if the following is true:

• You do not have CIFS licensed on the cluster.
• You want the SVM to have an Active Directory computer account that is used for purposes other than file services or value-add CIFS functionality. For example, you might want to use an Active Directory account as the service account for applications accessing data over the iSCSI or FC protocols.

Related concepts
Managing Active Directory computer accounts on page 29
Setting up the CIFS server on page 58

Managing Active Directory computer accounts

You can manage Active Directory computer accounts by creating the computer account, displaying information about it, deleting it, changing the domain to which it belongs, and changing or resetting the computer account password.

Related concepts
How to choose whether to create a CIFS server or an Active Directory computer account on page 28
Managing Active Directory computer accounts on page 29
Setting up CIFS servers on SVMs with FlexVol volumes on page 42
Creating Active Directory computer accounts for SVMs

You can create an Active Directory computer account for your Storage Virtual Machine (SVM) if you want the SVM to have a computer account in the domain but do not want to license CIFS or do not need to configure SMB file access or CIFS value-add functionality.

Before you begin

• The cluster time must be synchronized to within five minutes of the time on the Active Directory domain controllers for the domain with which you want to associate the SVM computer account.
  The recommendation is to configure cluster NTP services to use the same NTP servers that the Active Directory domain uses for time synchronization, or to use the Active Directory domain controllers as the cluster time servers.
• You must have sufficient permissions to add a computer account to the OU (organizational unit) in the domain with which you want to associate the SVM computer account. Delegated permission to create computer objects in that OU is sufficient; the credentials you supply do not need to be those of a domain administrator.
• The SVM must have a data LIF properly configured to reach all required external servers, such as DNS servers and the Active Directory domain controllers.
• DNS must be configured on the SVM, and the DNS servers must either be the Active Directory-integrated DNS servers for the domain with which you want to associate the computer account, or they must contain the service location (SRV) records for the domain's LDAP and domain controller servers.

About this task

Keep the following in mind when creating the Active Directory computer account:

• The Active Directory computer account name can be up to 15 characters in length. The following characters are not allowed:
  @ # * ( ) = + [ ] | ; : " , < > \ / ?
• You must use the fully qualified domain name (FQDN) when specifying the domain.
• By default, the Active Directory computer account is added to the CN=Computers container. You can place the computer account in a different OU by using the optional -ou parameter. When specifying the OU, do not include the domain portion of the distinguished name; specify only the OU or CN portion. Data ONTAP appends the value of the required -domain parameter to the value of the -ou parameter to produce the Active Directory distinguished name that is used when creating the computer account object. For example, -ou OU=eng together with -domain myexample.com produces OU=eng,DC=myexample,DC=com.

Steps

1. Create the Active Directory computer account:
   vserver active-directory create -vserver vserver_name -account-name NetBIOS_account_name -domain FQDN [-ou organizational_unit]
   You are prompted for the user name and password of a Windows account with sufficient privileges to add computers to the target container.
2. Verify that the Active Directory computer account has been created in the desired OU by using the vserver active-directory show command.

Example

The following command creates the Active Directory computer account named vs1 for SVM vs1 in the myexample.com domain. The computer account is placed in the OU=eng,DC=myexample,DC=com container.

cluster1::> vserver active-directory create -vserver vs1 -account-name vs1 -domain myexample.com -ou OU=eng

In order to create an Active Directory machine account, you must supply the
name and password of a Windows account with sufficient privileges to add
computers to the "OU=eng" container within the "myexample.com" domain.

Enter the user name: Admin_user

Enter the password:

cluster1::> vserver active-directory show
            Account           Domain/Workgroup
Vserver     Name              Name
----------- ----------------  ----------------
vs1         VS1               MYEXAMPLE

Related concepts
How to choose whether to create a CIFS server or an Active Directory computer account on page 28
Managing domain controller connections for Active Directory computer accounts on page 35
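Before supplying domain credentials at the create prompt, a practitioner usually wants to validate the inputs against the rules above without touching the domain. The following Python script is an added example, not part of this guide and not Data ONTAP code: it checks the account name length and forbidden characters, requires an FQDN for -domain, rejects an -ou value that carries the domain portion, builds the container DN the way the guide describes (the -ou value followed by the DC= components of -domain), lists the SRV records the SVM's DNS servers must answer, and flags a clock skew of more than five minutes. The same rules apply when you later change the account's domain with vserver active-directory modify. Assumptions not stated by the guide: the CN=<name> RDN for the computer object, the standard Active Directory SRV record names (_ldap._tcp, _ldap._tcp.dc._msdcs, _kerberos._tcp), and timestamps passed as ISO-8601 strings; vs1, myexample.com and OU=eng are the guide's own example values.

```python
"""Pre-flight checks for 'vserver active-directory create' (added example,
not NetApp code). It encodes the rules the guide states for the computer
account: a NetBIOS name of at most 15 characters without the forbidden
characters, the domain given as an FQDN, the -ou value limited to the OU/CN
portion (Data ONTAP appends the domain part), and cluster time within five
minutes of the domain controllers. The SRV names and the CN=<name> RDN are
standard Active Directory conventions assumed here, not stated by the guide."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FORBIDDEN_CHARS = set('@#*()=+[]|;:",<>\\/?')   # characters the guide disallows
MAX_NAME_LEN = 15                                  # NetBIOS name limit
MAX_SKEW = timedelta(minutes=5)                    # Kerberos clock-skew tolerance
DEFAULT_CONTAINER = "CN=Computers"                 # destination when -ou is omitted


def validate_account_name(name: str) -> List[str]:
    """Return the problems with a NetBIOS account name (empty list = OK)."""
    problems = []
    if not name:
        problems.append("account name is empty")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"account name has {len(name)} characters; maximum is {MAX_NAME_LEN}")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("account name contains forbidden characters: " + " ".join(bad))
    return problems


def validate_domain(fqdn: str) -> List[str]:
    """-domain must be fully qualified (e.g. myexample.com), not a NetBIOS name."""
    labels = fqdn.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return [f"domain {fqdn!r} is not a fully qualified domain name"]
    return []


def validate_ou(ou: Optional[str]) -> List[str]:
    """-ou carries only the OU or CN portion; the DC= part comes from -domain."""
    if ou is None:
        return []
    upper = ou.upper()
    if not upper.startswith(("OU=", "CN=")):
        return [f"-ou {ou!r} must start with OU= or CN="]
    if "DC=" in upper:
        return [f"-ou {ou!r} must not contain the domain portion (DC=...)"]
    return []


def domain_to_dn(fqdn: str) -> str:
    """myexample.com -> DC=myexample,DC=com"""
    return ",".join(f"DC={label}" for label in fqdn.split("."))


def container_dn(fqdn: str, ou: Optional[str] = None) -> str:
    """Container the account lands in: the -ou value with the domain DN appended."""
    return f"{ou or DEFAULT_CONTAINER},{domain_to_dn(fqdn)}"


def account_dn(name: str, fqdn: str, ou: Optional[str] = None) -> str:
    """DN of the computer object; CN=<name> is the usual RDN of an AD computer object
    (an assumption about AD naming, not something the guide states)."""
    return f"CN={name},{container_dn(fqdn, ou)}"


def srv_records_to_check(fqdn: str) -> List[str]:
    """SRV names the SVM's DNS servers must resolve for LDAP and DC discovery."""
    return [f"_ldap._tcp.{fqdn}", f"_ldap._tcp.dc._msdcs.{fqdn}", f"_kerberos._tcp.{fqdn}"]


def clock_skew_ok(cluster_time: str, dc_time: str) -> bool:
    """Both arguments are ISO-8601 timestamps, e.g. from 'cluster date show' and w32tm."""
    skew = abs(datetime.fromisoformat(cluster_time) - datetime.fromisoformat(dc_time))
    return skew <= MAX_SKEW


def preflight(vserver: str, name: str, fqdn: str, ou: Optional[str] = None,
              cluster_time: Optional[str] = None, dc_time: Optional[str] = None) -> Dict:
    """Collect every problem, plus the command line to run when there are none."""
    problems = validate_account_name(name) + validate_domain(fqdn) + validate_ou(ou)
    if cluster_time and dc_time and not clock_skew_ok(cluster_time, dc_time):
        problems.append("cluster time differs from the domain controller by more than five minutes")
    command = f"vserver active-directory create -vserver {vserver} -account-name {name} -domain {fqdn}"
    if ou:
        command += f" -ou {ou}"
    return {
        "ok": not problems,
        "problems": problems,
        "container_dn": container_dn(fqdn, ou) if not validate_domain(fqdn) else None,
        "srv_records": srv_records_to_check(fqdn),
        "command": command,
    }


if __name__ == "__main__":
    # The guide's example: account vs1 for SVM vs1 in myexample.com, placed in OU=eng.
    print(preflight("vs1", "vs1", "myexample.com", ou="OU=eng",
                    cluster_time="2015-01-15T10:00:00", dc_time="2015-01-15T10:02:30"))
```

Run it with the values you intend to pass to the command; when "ok" is false, fix the listed problems before typing domain credentials at the prompt. The script does not contact the domain controllers: read the cluster time with cluster date show and the controller time on the DC itself (for example w32tm /query /status), and resolve the listed SRV names against the DNS servers configured on the SVM.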
Changing the Active Directory domain to which the SVM computer account is associated

You can change the Active Directory domain with which the Storage Virtual Machine (SVM) computer account is associated. This can be useful if you want to use an account from another domain as an application's service account, or if you are migrating SVM resources used by applications to another domain.

Before you begin

• The time set on the cluster nodes must match, to within five minutes, the time set on the Active Directory domain controllers for the domain with which you want to associate the SVM computer account.
  The recommendation is to configure cluster NTP services to use the same NTP servers that the new Active Directory domain uses for time synchronization, or to use the domain controllers of the new domain as the cluster time servers.
• You must have sufficient permissions to add a computer account to the OU (organizational unit) in the new domain with which you want to associate the SVM computer account.
• The DNS servers for the SVM must either be the Active Directory-integrated DNS servers for the new domain with which you want to associate the SVM computer account, or they must contain the service location (SRV) records for the domain's LDAP and domain controller servers.

About this task

• You must use the fully qualified domain name (FQDN) when specifying the domain.
• When changing the domain with which the Active Directory computer account is associated, the computer account in the new domain is placed in the CN=Computers container. You cannot specify where to place the computer account when changing the domain. If you want the computer account to be in a container other than CN=Computers, you must delete the Active Directory account and re-create it by using the vserver active-directory create command.

Steps

1. Change the domain of the Active Directory computer account:
   vserver active-directory modify -vserver vserver_name -domain FQDN
2. Verify that the Active Directory computer account has been created in the CN=Computers container by using the vserver active-directory show command.

Example

The following command changes the domain for the Active Directory computer account named vs1 for SVM vs1 to the example.com domain. The computer account is placed in the CN=Computers container.

cluster1::> vserver active-directory modify -vserver vs1 -domain example.com

In order to create an Active Directory machine account, you must supply the
name and password of a Windows account with sufficient privileges to add
computers to the "CN=Computers" container within the "example.com" domain.

Enter the user name: Admin_user

Enter the password:

cluster1::> vserver active-directory show
            Account           Domain/Workgroup
Vserver     Name              Name
----------- ----------------  ----------------
vs1         VS1               EXAMPLE

Displaying information about Active Directory computer accounts for SVMs

You can display information about Active Directory computer accounts for Storage Virtual Machines (SVMs), including the SVM computer account name, the name of the domain with which the computer account is associated, and the organizational unit where the computer account is located.

Step

1. Display information about Active Directory computer accounts for SVMs by using the vserver active-directory show command.
   You can customize the view by specifying optional parameters. See the man page for the command for details.

Examples

The following command displays information about all Active Directory accounts for SVMs on the cluster:

cluster1::> vserver active-directory show
            Account           Domain/Workgroup
Vserver     Name              Name
----------- ----------------  ----------------
vs1         CIFSSERVER1       EXAMPLE
vs2         CIFSSERVER2       EXAMPLE2

The following command displays detailed information about all Active Directory accounts for SVMs on the cluster:

cluster1::> vserver active-directory show -instance

                              Vserver: vs1
Active Directory account NetBIOS Name: CIFSSERVER1
        NetBIOS Domain/Workgroup Name: EXAMPLE
          Fully Qualified Domain Name: EXAMPLE.COM
                  Organizational Unit: CN=Computers

                              Vserver: vs2
Active Directory account NetBIOS Name: CIFSSERVER2
        NetBIOS Domain/Workgroup Name: EXAMPLE2
          Fully Qualified Domain Name: EXAMPLE2.COM
                  Organizational Unit: CN=Computers

Deleting Active Directory computer accounts for SVMs

If you no longer want a Storage Virtual Machine (SVM) to have a computer account in an Active Directory domain, or if you want to configure a CIFS server on the SVM instead of an Active Directory computer account, you can delete the computer account.

Before you begin

You must have sufficient permissions to delete a computer account from the OU (organizational unit) in the Active Directory domain that contains the SVM computer account.

About this task

The SVM can have either an Active Directory computer account or a CIFS server, but it cannot have both. If you currently have an Active Directory computer account on your SVM and want to create a CIFS server on that SVM, you must delete the Active Directory computer account before you can create the CIFS server.

Steps

1. Delete the Active Directory computer account:
   vserver active-directory delete -vserver vserver_name
   You are asked to enter the user name and password of a user with sufficient permission to delete the computer account from the OU where the computer account is located.
2. Verify that the computer account is deleted:
   vserver active-directory show

Example

The following commands delete the Active Directory computer account on SVM vs2:

cluster1::> vserver active-directory show
            Account           Domain/Workgroup
Vserver     Name              Name
----------- ----------------  ----------------
vs1         VS1               EXAMPLE
vs2         VS2               MYEXAMPLE

cluster1::> vserver active-directory delete -vserver vs2

In order to delete an Active Directory machine account, you must supply the
name and password of a Windows account with sufficient privileges to remove
computers from the "myexample.com" domain.

Enter the user name: Admin_user

Enter the password:

cluster1::> vserver active-directory show
            Account           Domain/Workgroup
Vserver     Name              Name
----------- ----------------  ----------------
vs1         VS1               EXAMPLE

Changing or resetting Active Directory computer account passwords for SVMs

The computer account password is the credential with which the SVM authenticates itself to the domain. You can change it periodically as a matter of good security practice, or reset it if the password is lost.

Step

1. Perform one of the following actions:

   If you know the password and want to change it:
       vserver active-directory password-change -vserver vserver_name

   If you do not know the password and want to reset it:
       vserver active-directory password-reset -vserver vserver_name
       A password reset might be required if the password stored with the machine account in the Active Directory domain is changed or reset by something other than the Storage Virtual Machine (SVM). The operation requires the credentials of a user with permission to reset the password in the organizational unit (OU) that contains the computer account.

   -vserver is the name of the SVM associated with the Active Directory account whose domain password you want to change or reset.
Managing domain controller connections for Active Directory computer accounts

You can manage domain controller connections for Active Directory computer accounts by displaying information about discovered Active Directory servers, resetting and rediscovering the Active Directory servers, configuring a list of preferred domain controllers, and displaying the list of preferred domain controllers.

Related concepts
Managing Active Directory computer accounts on page 29

Displaying information about discovered Active Directory servers for SVMs

You can display information about the discovered LDAP servers and domain controllers for the domain with which the Storage Virtual Machine (SVM) computer account is associated.

About this task

The vserver active-directory discovered-servers show command is an alias of the vserver cifs domain discovered-servers show command. You can use either command to display information about discovered Active Directory servers on your SVM.

Step

1. To display all or a subset of the information related to discovered servers, enter the following command:
   vserver active-directory discovered-servers show
   By default, the command displays the following information about discovered servers:
   • Node name
   • SVM name
   • Active Directory domain name
   • Server type
   • Preference
   • Domain controller name
   • Domain controller address
   • Status
   You can customize the view by specifying optional parameters. See the man page for the command for details.

Example

The following command shows discovered servers for SVM vs1:

cluster1::> vserver active-directory discovered-servers show -vserver vs1

Node: node1
Vserver: vs1

Domain Name   Type     Preference  DC-Name         DC-Address      Status
------------- -------- ----------  --------------- --------------- -------
""            NIS      preferred   192.168.10.222  192.168.10.222  OK
example.com   MS-LDAP  adequate    DC-1            192.168.192.24  OK
example.com   MS-LDAP  adequate    DC-2            192.168.192.25  OK
example.com   MS-DC    adequate    DC-1            192.168.192.24  OK
example.com   MS-DC    adequate    DC-2            192.168.192.25  OK

Resetting and rediscovering Active Directory servers

Resetting and rediscovering Active Directory servers on your Storage Virtual Machine (SVM) causes the SVM to discard its stored information about LDAP servers and domain controllers. After discarding the server information, the SVM reacquires current information about these external servers. This can be useful when the connected servers are not responding appropriately.

About this task

The vserver active-directory discovered-servers reset-servers command is an alias of the vserver cifs domain discovered-servers reset-servers command. You can use either command to reset and rediscover Active Directory servers on your SVM.

Steps

1. Enter the following command:
   vserver active-directory discovered-servers reset-servers -vserver vserver_name
2. Display information about the newly rediscovered servers:
   vserver active-directory discovered-servers show -vserver vserver_name

Example

The following commands reset and rediscover servers for SVM vs1:

cluster1::> vserver active-directory discovered-servers reset-servers -vserver vs1

cluster1::> vserver active-directory discovered-servers show

Node: node1
Vserver: vs1

Domain Name   Type     Preference  DC-Name  DC-Address  Status
------------- -------- ----------  -------- ----------- -------
""            NIS      preferred   1.1.3.4  1.1.3.4     OK
example.com   MS-LDAP  adequate    DC-1     1.1.3.4     OK
example.com   MS-LDAP  adequate    DC-2     1.1.3.5     OK
example.com   MS-DC    adequate    DC-1     1.1.3.4     OK
example.com   MS-DC    adequate    DC-2     1.1.3.5     OK
Adding or removing preferred domain controllers

Data ONTAP automatically discovers domain controllers through DNS. Optionally, you can add one or more domain controllers to the list of preferred domain controllers on the Storage Virtual Machine (SVM) for the domain in which the Active Directory computer account is configured.

About this task

The vserver active-directory preferred-dc add and vserver active-directory preferred-dc remove commands are aliases of the vserver cifs domain preferred-dc add and vserver cifs domain preferred-dc remove commands, respectively. You can use either set of commands to manage preferred domain controllers for the Active Directory domain account.

Step

1. Perform one of the following actions:

   To add preferred domain controllers:
       vserver active-directory preferred-dc add -vserver vserver_name -domain domain_name -preferred-dc IP_address, ...

   To remove preferred domain controllers:
       vserver active-directory preferred-dc remove -vserver vserver_name -domain domain_name -preferred-dc IP_address, ...

   -vserver vserver_name specifies the SVM name.
   -domain domain_name specifies the fully qualified name of the domain to which the domain controllers belong.
   -preferred-dc IP_address, ... specifies one or more IP addresses of the preferred domain controllers to add or remove, as a comma-delimited list. When adding preferred domain controllers, the order of the comma-delimited list indicates the order of preference.

Examples

The following command adds domain controller IP addresses 10.1.1.10 and 10.1.1.20 to the list of preferred domain controllers that SVM vs1 uses to manage external access to the example.com domain. The example.com domain contains the SVM Active Directory account.

cluster1::> vserver active-directory preferred-dc add -vserver vs1 -domain example.com -preferred-dc 10.1.1.10,10.1.1.20

The following command removes the domain controller IP address 10.1.1.20 from the list of preferred domain controllers that Storage Virtual Machine (SVM) vs1 uses to manage external access to the example.com domain.

cluster1::> vserver active-directory preferred-dc remove -vserver vs1 -domain example.com -preferred-dc 10.1.1.20

Displaying information about preferred domain controllers

You can display information about the list of preferred domain controllers for the domain with which the Active Directory computer account for the Storage Virtual Machine (SVM) is associated. This can be helpful when you want to know which domain controllers are contacted preferentially.

About this task

The vserver active-directory preferred-dc show command is an alias of the vserver cifs domain preferred-dc show command. You can use either command to display information about preferred domain controllers for the Active Directory domain account.

Step

1. To display all or a subset of the information related to preferred domain controllers, enter the following command:
   vserver active-directory preferred-dc show
   By default, the command displays the following information about preferred domain controllers:
   • SVM name
   • Active Directory domain name
   • List of IP addresses of the preferred domain controllers
   You can customize the view by specifying optional parameters. See the man page for the command for details.

Example

The following command displays all preferred domain controllers for SVM vs1:

cluster1::> vserver active-directory preferred-dc show -vserver vs1
Vserver   Domain Name          Preferred Domain Controllers
--------- -------------------- -----------------------------
vs1       example.com          10.1.1.10, 10.1.1.20
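The discovered-servers tables shown earlier (before and after reset-servers) and the preferred-dc list above are what you inspect when the SVM's communication with the domain misbehaves. The following Python script is an added example, not part of this guide and not Data ONTAP code: it parses the discovered-servers show output, reports every server whose Status is not OK, warns when the domain is left without a healthy MS-LDAP or MS-DC server (the situation in which reset-servers is the remedy) or with only one, and reconciles a preferred-dc address list against the discovered MS-DC entries. SAMPLE_OUTPUT is constructed in the command's format; the unavailable status on DC-2 is invented for the demonstration, and the preferred address 10.1.1.10 comes from the guide's preferred-dc example.

```python
"""Health check over 'vserver active-directory discovered-servers show' output
(added example, not NetApp code). It parses the table the command prints,
flags servers whose Status is not OK, warns when a domain has no healthy
MS-LDAP or MS-DC server left, and reconciles the configured preferred-dc
list against what was discovered. SAMPLE_OUTPUT is constructed in the
guide's format; the 'unavailable' status on DC-2 is invented for the demo."""
import shlex
from typing import Dict, List

COLUMNS = ("domain", "type", "preference", "dc_name", "dc_address", "status")

SAMPLE_OUTPUT = '''\
Node: node1
Vserver: vs1

Domain Name   Type     Preference  DC-Name         DC-Address      Status
------------- -------- ----------  --------------- --------------- -----------
""            NIS      preferred   192.168.10.222  192.168.10.222  OK
example.com   MS-LDAP  adequate    DC-1            192.168.192.24  OK
example.com   MS-LDAP  adequate    DC-2            192.168.192.25  unavailable
example.com   MS-DC    adequate    DC-1            192.168.192.24  OK
example.com   MS-DC    adequate    DC-2            192.168.192.25  unavailable
'''


def parse_discovered_servers(text: str) -> List[Dict[str, str]]:
    """Turn the command's table into one dict per server row."""
    rows: List[Dict[str, str]] = []
    node = vserver = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the CLI prompt, the column header and the dashed rule.
        if not line or "::>" in line or line.startswith(("Domain Name", "-")):
            continue
        if line.startswith("Node:"):
            node = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Vserver:"):
            vserver = line.split(":", 1)[1].strip()
            continue
        fields = shlex.split(line)          # shlex turns the "" domain into ''
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected line in discovered-servers output: {raw!r}")
        row = dict(zip(COLUMNS, fields))
        row.update(node=node, vserver=vserver)
        rows.append(row)
    return rows


def check_discovered_servers(rows: List[Dict[str, str]], domain: str) -> List[str]:
    """Findings for the Active Directory domain the SVM account belongs to."""
    findings = []
    for r in rows:
        if r["status"] != "OK":
            label = r["domain"] or "NIS"
            findings.append(f"{r['type']} server {r['dc_name']} ({r['dc_address']}) "
                            f"for {label} has status {r['status']}")
    if not any(r["domain"] == domain for r in rows):
        findings.append(f"no servers discovered for {domain}; check DNS SRV records")
    for kind in ("MS-LDAP", "MS-DC"):
        healthy = [r for r in rows
                   if r["domain"] == domain and r["type"] == kind and r["status"] == "OK"]
        if not healthy:
            findings.append(f"no {kind} server with status OK for {domain}; "
                            "run discovered-servers reset-servers and re-check")
        elif len(healthy) == 1:
            findings.append(f"only one {kind} server with status OK for {domain} "
                            f"({healthy[0]['dc_name']}); no failover target")
    return findings


def preferred_dc_status(rows: List[Dict[str, str]], preferred: List[str]) -> Dict[str, str]:
    """Map each preferred-dc address to its discovered MS-DC status."""
    by_ip = {r["dc_address"]: r["status"] for r in rows if r["type"] == "MS-DC"}
    return {ip: by_ip.get(ip, "not discovered") for ip in preferred}


if __name__ == "__main__":
    servers = parse_discovered_servers(SAMPLE_OUTPUT)
    for finding in check_discovered_servers(servers, "example.com"):
        print("FINDING:", finding)
    # 10.1.1.10 is from the guide's preferred-dc example; it is not in the sample table.
    print(preferred_dc_status(servers, ["192.168.192.24", "10.1.1.10"]))
```

Feed it the text of the show command's output (for example saved from an SSH session). Column widths do not matter because rows are split on whitespace, and the empty-string domain of the NIS row is handled by shlex; status values other than OK are reported verbatim, so the check does not depend on the exact status vocabulary of a given release. A preferred address reported as not discovered means the SVM will never contact it, whatever the preferred-dc list says.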
Configuring and managing CIFS servers

You can configure and manage CIFS servers to let SMB clients access files on your cluster. Each data Storage Virtual Machine (SVM) in the cluster can be bound to exactly one Active Directory domain; however, the data SVMs do not need to be bound to the same domain. Each data SVM can be bound to a different Active Directory domain.

Related concepts
How to choose whether to create a CIFS server or an Active Directory computer account on page 28

Supported SMB clients and domain controllers

Before you can use SMB with your Storage Virtual Machine (SVM), you need to know which SMB clients and domain controllers Data ONTAP supports.

For the latest information about which SMB clients and domain controllers Data ONTAP supports, see the Interoperability Matrix at mysupport.netapp.com/matrix.

Unsupported Windows features

Before you use CIFS in your network, you need to be aware of certain Windows features that Data ONTAP does not support.

Data ONTAP does not support the following Windows features:

• Encrypting File System (EFS)
• Logging of NT File System (NTFS) events in the change journal
• Microsoft File Replication Service (FRS)
• Microsoft Windows Indexing Service
• Remote storage through Hierarchical Storage Management (HSM)
• Quota management from Windows clients
• Windows quota semantics
• The LMHOSTS file
• NTFS native compression

Where to find information about SMB support on Infinite Volumes

For information about the SMB versions and functionality that Infinite Volumes support, see the Clustered Data ONTAP Infinite Volumes Management Guide.

Related information
Clustered Data ONTAP 8.3 Infinite Volumes Management Guide

How to choose whether to create a CIFS server or an Active Directory computer account

This topic repeats, word for word, the topic of the same name on page 28 in the chapter on configuring and managing Active Directory computer accounts for SVMs (no CIFS license). In short: an SVM can have either a CIFS server or an Active Directory computer account, but not both; choose the CIFS server when CIFS is licensed and you want to offer SMB file services, and choose the computer account when CIFS is not licensed and the account serves another purpose, such as a service account for applications accessing data over iSCSI or FC.

Related concepts
Managing Active Directory computer accounts on page 29
Setting up the CIFS server on page 58

Setting up CIFS servers on SVMs with FlexVol volumes

You can enable and configure CIFS servers to let SMB clients access files on your cluster. There are a number of tasks to plan and to complete when setting up a CIFS server on a Storage Virtual Machine (SVM) with FlexVol volumes.

For more information about setting up CIFS servers on Storage Virtual Machines (SVMs) with Infinite Volume, see the Clustered Data ONTAP Infinite Volumes Management Guide.

Prerequisites for CIFS server setup

Certain prerequisites must be met before you begin the CIFS server setup process:

• CIFS must be licensed on the cluster.
• The network to be used to connect the Storage Virtual Machine (SVM) data LIFs to the outside network must be configured (cabled and routing configured).
• You must have a list of IP addresses, the subnet mask, and the default gateway to configure the SVM data LIFs.
• The subnet you use when creating the SVM data LIFs must be routable to all external servers required for services such as Active Directory domain controllers and NIS, DNS, NDMP, and LDAP servers.
  Note: In releases prior to clustered Data ONTAP 8.3, you could use node and cluster management LIFs to contact external servers for the SVM, provided that these LIFs could route to the external servers. Starting with clustered Data ONTAP 8.3, you cannot use node and cluster management LIFs to contact external servers for the SVM.
• The administrator creating a CIFS server must belong to the home domain or to a trusted domain.

Related concepts
Setting up the CIFS server on page 58
Managing CIFS servers on page 82

Planning the CIFS server configuration

Before you create a CIFS server configuration, you must understand what is involved in each step of the configuration. You must decide what settings you need to use when performing the configuration and record them in the planning worksheets.

You must plan for the following configuration tasks:

• Setting up time services
• Setting up an IPspace, broadcast domain, and subnet
• Creating the Storage Virtual Machine (SVM) to which you want the CIFS server to belong
• Setting up networking for the SVM
• Setting up name services for the SVM
• Creating the CIFS server

Related concepts
Setting up the CIFS server on page 58

Information to gather before configuring time services

Prior to creating a CIFS server, you must configure time services on the cluster. When using Kerberos authentication, the cluster time and the time on the domain controllers of the domain that the CIFS server will join must match to within five minutes; otherwise, CIFS server creation fails. Be sure to record your time server IP addresses.

NTP time services are automatically enabled on the cluster; however, you must specify the IP addresses of the time servers. You can specify up to three time servers.

Types of information                                                Required  Your values
IP addresses of the time servers                                    Yes
Are the cluster time services and the time on the domain
controllers of the domain that the CIFS server will join set up
so that the time skew between them is always less than five min